VILLAFUERTES PUSH FOR NAT’L CYBERSECURITY AGENCY

In this era of digitalization in which peoples, governments and businesses have become highly vulnerable to increasingly pernicious attacks in cyberspace, Camarines Sur legislators are pressing for the creation of a quick-response agency to craft and carry out a masterplan for building a robust defense infrastructure to shield individuals and organizations from cyberattacks.

These lawmakers, led by Camarines Sur Rep. Migz Villafuerte, chairman of the House committee on information and communications technology (ICT), and Deputy Majority Leader Luigi Villafuerte, are proposing the establishment of the National Cybersecurity Agency (NCSA) to standardize protocols for threat detection, information sharing and incident response, along with protection of the country’s critical information infrastructure (CII).

They are pushing for a new office to handle cybersecurity as the Department of Information and Communications Technology (DICT) itself has warned of a possible cyberattack this week by way of a “traffic flood,” in which netizens might not be able to access websites, apps and online services.

The DICT posted on its website that it has monitored a possible Distributed Denial of Service (DDoS) attack or “traffic flood” tomorrow (Nov. 5), in which certain websites or apps might slow down or fail to load at once.

Following this DICT warning about a DDoS attack, Philippine National Police (PNP) acting chief Lt. Gen. Jose Melencio Nartatez, Jr. told the public this week in a press briefing in Camp Crame that the police were working with the DICT on implementing counter-measures, including beefing up firewalls and the integrity of the PNP hardware and software systems.

Nartatez admitted that the PNP had, in the past, “been victims of cyberattacks. Our data was compromised, especially in logistics, firearms, and others. And we are continuously protecting that.”

CII refers to the computer and ICT systems and processes essential to the continuous, hassle-free delivery of vital services in the Philippines, which have become increasingly at risk from complex phishing, ransomware and social engineering attacks, along with the rise of new threats from Artificial Intelligence (AI) such as deepfakes.

In House Bill (HB) No. 2826, Migz and Luigi Villafuerte want their proposed NCSA, which shall be under the DICT, to put up a National Computer Emergency Response Team (NCERT) comprising cybersecurity experts, who, they said, “shall respond quickly to cybersecurity incidents of threatened organizations, with the aim of minimizing the damage and ensuring recovery of affected systems.”

This NCERT shall establish a liaison network of CERTs or computer emergency response teams among government agencies to support the implementation of the NCERT’s mandate, said the Villafuertes, who introduced HB 2826 with fellow CamSur Rep. Tsuyoshi Anthony Horibata and Bicol Saro Rep. Terry Ridon.

New legislation on cybersecurity is among the 44 priority measures under the Common Legislative Agenda (CLA) that President Marcos drew up with Congress leaders during the first Legislative-Executive Development Advisory Council (LEDAC) meeting under the 20th Congress last Sept. 30 at Malacañan Palace.

“We need to put front and center the protection of our online systems, networks and programs from attacks from threat actors who aim to access, alter or destroy sensitive information, extort money from cyber players through ransomware and/or disrupt normal government or business processes,” Migz said.

“Hence, the immediate congressional passage of HB 2826, or ‘The Cybersecurity Act,’ is earnestly sought to secure the Philippines’ digital future and make sure that our country is adequately prepared to confront and overcome the complex challenges of the modern cyber environment,” Migz added. 

Luigi explained that phishing involves duping people into downloading viruses or malware (malicious software) through fraudulent links in assorted channels like emails, mobile phone texts and websites, while ransomware involves using malware to encrypt the data of persons or organizations to restrict access to their own files and systems, and then demanding ransom from these victims to get their data back.

Social engineering, meanwhile, involves impersonation to retrieve sensitive data from targets through deception, such as pretending to be employees of banks or telecoms companies (telcos) to dupe victims into giving up their personal passwords, Luigi said.

Given that the main purpose of cybersecurity is to protect digital systems, networks, and data from theft, unauthorized access, and damage by ensuring the confidentiality, integrity, and availability of information, the Villafuertes said that the objectives of HB 2826 are:

· Data Protection – Shielding sensitive data, personally identifiable information (PII), intellectual property, and other critical information from theft, loss, or misuse;

· System and Network Security – Defending computer systems, networks, and connected devices (endpoints) from malicious attacks and unauthorized access; and

· User Protection – Safeguarding individuals and organizations from identity theft, fraud, and other harms that can arise from cyberattacks.

On top of liaising with the network of CERTs among government agencies to support the bill’s mandate, the NCERT is tasked by HB 2826 to perform vulnerability assessment and penetration testing initiatives to detect, identify and analyze cyber threats and to properly attribute cyber-attacks against CIIs.

The bill envisions the proposed NCERT to: (1) have a robust incident response capability to promptly detect, analyze and mitigate cyber incidents affecting national security or public interest; and (2) work closely with relevant government agencies, private sector entities and international partners for coordinated incident response.

Migz and Luigi Villafuerte said that three recent hacking incidents involving government agencies illustrate how cyber attacks have become a major concern in the Philippines. 

In October, cybersecurity advocacy group Deep Web Konek said that a threat actor using the alias “0xSeve” claimed responsibility for a huge data breach involving the Full Disclosure Policy Portal (FDPP)—a website of the Department of the Interior and Local Government (DILG) for promoting transparency and accountability among local government units (LGUs)—allegedly exposing some 22 gigabytes of internal data containing more than 40 million FDPP records.

Prior to that hacking incident, Deep Web Konek said that a group calling itself the Darkframe Cyber Alliance claimed responsibility for defacing the website of the Department of Public Works and Highways (DPWH) during the nationwide protest last Sept. 21 against the alleged massive corruption in the DPWH’s flood control projects.

Deep Web Konek had likewise reported a separate hacking by a threat actor using the name “Dedsec_Manila” who claimed responsibility for a data breach in the DICT’s own eGov.PH platform, allegedly exposing the records of about 30,000 complainants.

Luigi said the above-mentioned data breaches by three threat actors who had exploited existing gaps in our cyber defense infrastructure “not only jeopardize the confidentiality, integrity and availability of critical information systems, but also erode public trust in government institutions and digital services.”

“Considering the transnational and rapidly evolving nature of cyber risks, there is an urgent need for a more integrated and adaptive cybersecurity governance strategy, which HB 2826 aims for our proposed NCSA to craft and implement,” Luigi added.

HB 2826 mandates all national government agencies (NGAs), government-owned and -controlled corporations (GOCCs), and LGUs to adopt cybersecurity baselines and designate Chief Information Security Officers in their respective offices to ensure institutional resilience.

HB 2826 imposes administrative and criminal penalties on offenses, such as non-compliance, unauthorized disclosure of confidential information, and cyberattacks on CIIs.       

Violations with intent to intimidate the public or destabilize national structures may be prosecuted under the Anti-Terrorism Act.

Individuals who either willfully or through negligence cause the unauthorized disclosure of confidential or sensitive information shall face jail time of 6 to 12 years and/or a fine of at least P500,000.

Any unauthorized disclosure of confidential or sensitive information affecting national defense or national security, with intent or reason to believe that the same is to be used to the injury of the Philippines or to the advantage of any foreign nation or enemy of the State, whether domestic or foreign, shall be subject to a penalty of life imprisonment and/or a fine of not less than P1 million.

A CII operator’s willful disregard of a lawful order given by NCSA to comply with this Act and its implementing rules and regulations within a reasonable time frame will result in the CII operator’s license being revoked on grounds of non-compliance with a regulatory requirement.

Earlier, Migz said the House ICT committee that he chairs is crafting an AI framework to curb deepfakes or AI-generated fakery and other forms of cyber fraud spawned by the all-pervasive digital technology.

He said that, “President Marcos is spot on in stressing in a recent ICT event that while AI offers breakthroughs for our country to become digitally empowered, inclusive and future-ready in the digital age, Filipinos need to be extra vigilant against the risks that come with this cutting-edge technology that poses serious threats to privacy and jobs.”

Migz and Luigi, along with Horibata and Ridon, are also calling for the enactment of a Bill of Rights on AI—as they proposed in HB 2827—to prop up the government’s National AI Strategy for the Philippines (NAIS Ph) by providing the guiding principles to ensure that this fast-evolving technology is always “accessible, ethical and responsive” in serving the material needs of society.

The proposed framework under HB 2827, or the “Artificial Intelligence (AI) Development and Regulation Act,” is contingent on establishing four (4) institutions to implement and oversee policies meant for the government to best adapt to the fast-paced evolution of AI and AI systems.

These include the: [1] Philippine Council on Artificial Intelligence (PCAI), which will serve as a policy-making and advisory body of experts under the Department of Information and Communications Technology (DICT); and [2] Artificial Intelligence Board (AIB), composed of the DICT Secretary as chairperson and the Secretary of the Department of Science and Technology (DOST) as co-chairperson, to exercise regulatory and supervisory authority over the development of AI systems.

The two others are the: [3] National Center for Artificial Intelligence Research (NCAIR), which will be a DOST-attached agency primarily responsible for policy and program coordination; and [4] National Innovation Council (NIC), which shall promote synergy among the government and private sector and the academe on the development of AI.

“AI holds great promise for significant advancements in various aspects of human life, but it at the same time presents an outspread of risks, including privacy and security violations, misinformation and disinformation, job displacement, potential bias and discrimination of algorithms, and intellectual property infringement,” Migz Villafuerte said.

“The 20th Congress needs to craft a set of rules and regulations on AI control as this disruptive technology has been linked to the proliferation of deepfakes or AI fakery aimed at manipulating and deceiving the public, which can have serious political and social implications,” Migz said. 

Luigi said that, given the harm that the misuse of AI poses to public welfare, “the DOST has drawn up a NAIS Ph—and which the President subsequently approved—to guide the country on developing, deploying and governing AI in the country until 2028.”
